Package: ikiwiki
Version: 1.33.3
Severity: wishlist
Tags: patch
It was annoying me that I could not include .htaccess files in the ikiwiki
svn repository, and so, after looking around for a patch to do this, I
found one, along with the relevant comments about the security implications
of this.
Hence, below is a patch that adds an include_files_regexp option,
to enable people to do this if they want to (and also include other
things that would be avoided by default).
Feel free to reject this if you feel it is a bad idea, or modify the
patch if you think the idea is okay, and the code nasty :-)
There are two patches; one is against the version in Debian Etch and one
against the SVN trunk that I checked out this morning. I have tested
the former briefly, but not the latter.
Aaron Wilson
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages ikiwiki depends on:
ii gcc [c-compiler] 4:4.1.1-15 The GNU C compiler
ii gcc-4.0 [c-compiler] 4.0.3-7 The GNU C compiler
ii gcc-4.1 [c-compiler] 4.1.1-21 The GNU C compiler
ii libc6-dev [libc-dev] 2.3.6.ds1-13etch2 GNU C Library: Development Librari
ii libcgi-formbuilder-per 3.03.01-1 Easily generate and process statef
ii libcgi-session-perl 4.14-1 Persistent session data in CGI app
ii libhtml-parser-perl 3.55-1 A collection of modules that parse
ii libhtml-scrubber-perl 0.08-3 Perl extension for scrubbing/sanit
ii libhtml-template-perl 2.8-1 HTML::Template : A module for usin
ii libmail-sendmail-perl 0.79-4 Send email from a perl script
ii libtime-duration-perl 1.02-1 Time::Duration -- rounded or exact
ii libtimedate-perl 1.1600-5 Time and date functions for Perl
ii liburi-perl 1.35-2 Manipulates and accesses URI strin
ii libxml-simple-perl 2.14-5 Perl module for reading and writin
ii markdown 1.0.1-3 Text-to-HTML conversion tool
ii perl 5.8.8-7 Larry Wall's Practical Extraction
Versions of packages ikiwiki recommends:
ii git-core 1:1.4.4.4-2 content addressable filesystem
pn hyperestraier <none> (no description available)
ii subversion 1.4.2dfsg1-2 Advanced version control system
-- no debconf information
diff -Nur ikiwiki-1.33.3/IkiWiki/Render.pm
ikiwiki-1.33.3.aaron/IkiWiki/Render.pm
--- ikiwiki-1.33.3/IkiWiki/Render.pm 2007-02-10 20:27:07.000000000 +0000
+++ ikiwiki-1.33.3.aaron/IkiWiki/Render.pm 2007-10-19 14:50:04.000000000
+0100
@@ -218,7 +218,11 @@
no_chdir => 1,
wanted => sub {
$_=decode_utf8($_);
- if (/$config{wiki_file_prune_regexp}/) {
+ my $includefile =
+ ( defined $config{include_files_regexp}
+ && /$config{include_files_regexp}/ );
+ my $excludefile = (/$config{wiki_file_prune_regexp}/);
+ if ( ! $includefile && $excludefile ) {
$File::Find::prune=1;
}
elsif (! -d $_ && ! -l $_) {
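Review bot: `$includefile` overrides the whole of `wiki_file_prune_regexp`, not only the dotfile rule, so a path that matches the include pattern also skips the `..`, `.svn/` and `.html` exclusions that the prune list exists to enforce. The match is unanchored, so a loose value would re-admit far more than the one file the admin had in mind. The option's documentation should ask for an anchored pattern (a constructed example: `(^|/)\.htaccess$`) and say that publishing `.htaccess` presumably lets anyone who can add files to the source influence the web server's configuration. A comment above the new lines such as `# include_files_regexp deliberately bypasses the prune list; keep it anchored and narrow` would keep that trade-off visible. The `wanted` sub continues past the end of the hunk.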
diff -Nur ikiwiki-1.33.3/IkiWiki/Setup/Standard.pm
ikiwiki-1.33.3.aaron/IkiWiki/Setup/Standard.pm
--- ikiwiki-1.33.3/IkiWiki/Setup/Standard.pm 2007-02-10 20:27:06.000000000
+0000
+++ ikiwiki-1.33.3.aaron/IkiWiki/Setup/Standard.pm 2007-10-19
10:54:21.000000000 +0100
@@ -33,6 +33,9 @@
if (exists $setup{exclude}) {
$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$setup{exclude}/;
}
+ if (exists $setup{include_files_regexp}) {
+ $config{include_files_regexp}=qr/$setup{include_files_regexp}/;
+ }
if (! $config{render} && (! $config{refresh} || $config{wrappers})) {
debug("generating wrappers..");
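Review bot: The new `exists` test accepts an `include_files_regexp` key whose value is empty or undef, and `qr/$setup{include_files_regexp}/` then compiles an empty pattern, which would be expected to match every path. Because the include match in Render.pm takes precedence over the prune regexp, that one blank setup line would switch off all pruning. Test the value rather than the key: `if (defined $setup{include_files_regexp} && length $setup{include_files_regexp}) {`.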
diff -Nur ikiwiki-1.33.3/ikiwiki.pl ikiwiki-1.33.3.aaron/ikiwiki.pl
--- ikiwiki-1.33.3/ikiwiki.pl 2007-02-10 20:27:13.000000000 +0000
+++ ikiwiki-1.33.3.aaron/ikiwiki.pl 2007-10-19 14:48:53.000000000 +0100
@@ -48,6 +48,7 @@
"timeformat=s" => \$config{timeformat},
"sslcookie!" => \$config{sslcookie},
"httpauth!" => \$config{httpauth},
+ "include_files_regexp=s@" =>
\$config{include_files_regexp},
"exclude=s@" => sub {
$config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/;
},
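Review bot: The `=s@` specifier with a scalar-reference destination makes Getopt::Long store an array reference in `$config{include_files_regexp}`, as far as its documented behaviour goes, and Render.pm then interpolates that reference into `/$config{include_files_regexp}/` as the string `ARRAY(0x...)`. The command-line form of the option would therefore never match a real file name, and unlike the setup-file path the value is never compiled with `qr//`. A single-valued option that compiles its argument mirrors the neighbouring `exclude` handler: `"include_files_regexp=s" => sub { $config{include_files_regexp}=qr/$_[1]/ },`. The same line is added in the `ikiwiki.in` hunk of the trunk patch and needs the same change.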
diff -Nur ikiwiki-1.33.3/IkiWiki.pm ikiwiki-1.33.3.aaron/IkiWiki.pm
--- ikiwiki-1.33.3/IkiWiki.pm 2007-02-10 20:27:13.000000000 +0000
+++ ikiwiki-1.33.3.aaron/IkiWiki.pm 2007-10-19 14:49:29.000000000 +0100
@@ -27,6 +27,7 @@
our $version='unknown'; # VERSION_AUTOREPLACE done by Makefile, DNE
sub defaultconfig () { #{{{
+ include_files_regexp => undef,
wiki_file_prune_regexp =>
qr{((^|/).svn/|\.\.|^\.|\/\.|\.x?html?$|\.rss$|\.atom$|.arch-ids/|{arch}/)},
wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]]+)\]\]/,
wiki_file_regexp => qr/(^[-[:alnum:]_.:\/+]+$)/,
Index: IkiWiki/Setup/Standard.pm
===================================================================
--- IkiWiki/Setup/Standard.pm (revision 4599)
+++ IkiWiki/Setup/Standard.pm (working copy)
@@ -24,6 +24,9 @@
push @{$setup{plugin}}, @{$setup{add_plugins}};
delete $setup{add_plugins};
}
+ if (exists $setup{wiki_file_prune_regexp}) {
+ $config{include_files_regexp}=qr/$setup{include_files_regexp}/;
+ }
if (exists $setup{exclude}) {
push @{$config{wiki_file_prune_regexps}}, $setup{exclude};
}
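Review bot: The added condition tests `exists $setup{wiki_file_prune_regexp}` but the body reads `$setup{include_files_regexp}`, so the two keys are mismatched. A setup file that sets only `include_files_regexp` is ignored. One that sets only `wiki_file_prune_regexp` compiles `qr//` from an undefined value, an empty pattern that would be expected to match every path and so disable pruning in the sub that the later IkiWiki.pm hunk changes. The guard should name the option it reads and reject empty values: `if (defined $setup{include_files_regexp} && length $setup{include_files_regexp}) {`.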
Index: ikiwiki.in
===================================================================
--- ikiwiki.in (revision 4599)
+++ ikiwiki.in (working copy)
@@ -50,6 +50,7 @@
"userdir=s" => \$config{userdir},
"htmlext=s" => \$config{htmlext},
"libdir=s" => \$config{libdir},
+ "include_files_regexp=s@" =>
\$config{include_files_regexp},
"exclude=s@" => sub {
push @{$config{wiki_file_prune_regexps}}, $_[1];
},
Index: IkiWiki.pm
===================================================================
--- IkiWiki.pm (revision 4599)
+++ IkiWiki.pm (working copy)
@@ -31,6 +31,7 @@
sub defaultconfig () { #{{{
return
+ include_files_regexp => undef,
wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
qr/\.x?html?$/, qr/\.ikiwiki-new$/,
qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//,
@@ -1039,7 +1040,11 @@
$file =~ s#^\Q$base\E/*##;
my $regexp='('.join('|', @{$config{wiki_file_prune_regexps}}).')';
- return $file =~ m/$regexp/;
+ my $includefile = 0;
+ $includefile = 1 if (defined $config{include_files_regexp}
+ && $file =~ m/&& /$config{include_files_regexp}/ );
+
+ return (!$includefile && $file =~ m/$regexp/);
} #}}}
sub gettext { #{{{
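Review bot: The added condition `$file =~ m/&& /$config{include_files_regexp}/ )` does not parse, because `m/&& /` is read as a complete match operator and the text after it is a syntax error, which fits the description's remark that the trunk patch is untested. The intended line is presumably `&& $file =~ m/$config{include_files_regexp}/);`. As in the Etch patch, an include match here overrides every entry in `wiki_file_prune_regexps`, including `qr/\.\./`. If this sub is also used to vet file names from sources other than the source-directory scan, the `..` check should stay unconditional, for example `return 1 if $file =~ m/\.\./;` before the include test. The enclosing sub begins outside the hunk, so its callers are not visible here.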